You could be forgiven for rolling your eyes when Apple revealed that it was all set to transform the world of mobile payments with incredible, groundbreaking innovations like NFC (near field communication) and a dedicated chip (or Secure Element) to store your details safely.

The idea of tapping your smartphone at a terminal to pay for something is not new. Google Wallet was released in the U.S. back in 2011 and it featured NFC and the Secure Element. A number of potential competitors have popped up since then including PayPal, Square, and Softcard.

Despite the availability of mobile payment systems the adoption by consumers has been slow. Apple may be behind the curve, but it’s not messing about. Apple Pay comes with a wide range of banks and businesses as partners, and since it uses industry standards there’s no reason that any of these new terminals won’t work with all the existing payment solutions on Android.

Why haven’t mobile payments taken off?

I was writing about the potential of NFC almost exactly two years ago. Mobile payments are just the highest profile use case for the technology, but the sticking points I identified back then haven’t changed.

There’s a lot of competition in this space.

There’s a chicken and egg situation with retailers in that they don’t want to spend on terminals until there’s a big enough user base, but the user base can’t grow without more places accepting mobile payments.

There’s a good reason that companies won’t work together and establish a single payment option and it’s nicely summed up by this prediction from Sandy Shen, research director at Gartner: “We expect global mobile transaction volume and value to average 35 percent annual growth between 2012 and 2017, and we are forecasting a market worth $721 billion with more than 450 million users by 2017.”

Whoever handles those payments can scrape off some kind of small percentage transaction fee, and that’s going to amount to a lot of money. So we end up with MasterCard’s PayPass, the Google Wallet, Apple Pay, Softcard (you can probably guess why they changed the name from Isis Wallet), and more. That’s just the NFC payment line-up; there are also alternatives like PayPal trying to stake a claim in this market.

MasterCard definitely wins the fingers-in-pies prize because it supports its own solution, PayPass, but it’s also onboard with Softcard, Google Wallet, and Apple Pay. Since there are established industry standards now for the tap and go technology, we should see more cross-over like this.

Apple Pay is also going to help deal with the second point as well, by encouraging all those retail partners announced at the reveal to install the necessary technology in their stores.

How is Apple Pay different?

There’s one pretty important difference with Apple Pay that makes it more appealing and convenient as a solution. The Touch ID allows you to skip the PIN entry requirement and just rest your finger on the Home button. It’s really slick and quick, and it’s relatively secure.

Consider the improved transaction experience in-store at a terminal where you no longer have to enter a PIN, and at home shopping online where you don’t have to worry about passwords or card details.

I realize that Samsung introduced this with the Galaxy S5 where you can scan your fingerprint for PayPal payments, but Verizon blocked it and the functionality doesn’t extend to things like Google Wallet for NFC payments. It also just isn’t as slick as Touch ID, which doesn’t require a swipe motion. Samsung has made improvements with the Note 4, but it needs to do more to tie mobile payments to the finger scanner and match Apple’s offering.

The power of marketing

How many of you actually use Google Wallet? Are you aware of all the places that accept it? The truth is that Google didn’t throw a lot of weight behind it. It’s also only available in the U.S. in the mobile payment app form. The lack of a wider roll out more than three years after release says a lot.

A new technology like this, that requires consumer trust, needs to be marketed heavily. You have to reassure people that their details are safe, that the system works, and that it will offer a real advantage. None of the OEMs really got behind it either.

It’s easier for Apple to promote something like this; it doesn’t even need to set aside a much bigger marketing budget because it has big name partners onboard with a vested interest in advertising Apple Pay support. It also has one product line and it can include Apple Pay as another feature on the list for all of its ads, and it generates a huge amount of news coverage whenever it does something new. Mobile payments are old news, but look at the new wave of interest in the press because Apple has made a move.

Apple Pay will also only be available in the U.S. to begin with, but I bet Apple is quick to roll it out internationally where it can steal a march on Google.

A real wallet replacement?

There are still issues with mobile payments and the idea that your smartphone can really replace your wallet simply won’t fly with a lot of people. What happens when the battery dies? Support is far from universal. The advantage over plastic is arguably limited.

But as more and more places begin to support mobile payments as an option, you can be sure that adoption will grow. It looks like Google has squandered its early lead in the mobile payment space, but the fact that Apple would never allow something like Apple Pay to work cross-platform, ensures that Google and others can take advantage of the renewed interest it generates.

What do you think? Do you use NFC for mobile payments? Would you like to? What’s good and bad about the experience? What would tempt you to jump onboard? Hit the comments and tell us.

]]>http://www.androidauthority.com/apple-pay-mean-android-543140/feed/83ARM’s built-in security and how it might just get rid of the passwordhttp://www.androidauthority.com/arms-built-security-might-just-get-rid-password-397924/
http://www.androidauthority.com/arms-built-security-might-just-get-rid-password-397924/#commentsWed, 15 Oct 2014 07:03:26 +0000http://www.androidauthority.com/?p=397924

In the increasingly connected world in which we live the security of our information is paramount. Not only are government agencies trying to tap all our communications, but so are cyber-criminals so they can sell our data to make money. Unlike any other time in history how our data is protected is vital, not only to businesses, but also to individuals.

Built into every Cortex-A based processor is a clever piece of technology called TrustZone.

ARM processors can be found at the heart of most smartphones and tablets, as well as in a range of other popular consumer devices. And these very same ARM chips have a built-in weapon that help every smartphone user protect themselves.

Built into every Cortex-A based processor is a clever piece of technology called TrustZone. It provides a small, certifiable Trusted Execution Environment (TEE) that is isolated from the main operating system (e.g. Android) and as such is completely immune to software level attacks.

The TrustZone runs its own bespoke operating system. When the processor switches to the trusted environment then Android has no interaction with what is running there, in fact Android doesn’t even know that the secure environment is running. Complete hardware isolation.

Processors with TrustZone can execute instructions in one of two modes: the normal world, where untrusted code executes, and the secure world, where secure services run. Both modes have independent memory address spaces and different privileges.

The Normal world mode cannot access the secure world address space, but code running in the secure world can access the normal world address space. The processors support a special address bit, the NS bit, that indicates which world the processor is currently using.

Because the processor can only be in one mode or the other, there is a mechanism which tells the CPU to switch modes. This is done via a special instruction called the Secure Monitor Call (smc). When the CPU executes the smc instruction, the hardware switches and performs a secure context switch.

Real World

So what does that mean for the average user. Imagine that you need to connect to your online banking. At the moment there are a variety of two step authentication methods that can be used to ensure that you sign in securely. Some banks send SMS messages to your phone, while others issue their customers with bespoke bits of hardware which generate special authentication codes. The idea is that even if a cyber thief gets your username and password, they won’t have access to the secondary bits of information.

What TrustZone provides is a way for service providers (like banks) to integrate the secondary step, in the two part authentication process, in the phone itself. Since the TrustZone is completely isolated then there is no danger of any malware, other nefarious attack vectors, being used to get the authentication codes.

For example, a user might want to pay for some goods from their smartphone. An Android app on the smartphone is used to process the initial part of the payment. Then the processor switches to the secure OS. This OS can control the display and asks the user to tap in their PIN number. It is then encrypted and passed back to Android. While the secure OS was running Android had no interaction with the screen and knows nothing about what happened. This isolation is done at the hardware level. Finally the Android app takes the encrypted PIN number and uses it to authenticate with the payment service. Any spying that occurs will only be able to capture encrypted data, even if the spying happens on the smartphone itself.

Since the TrustZone OS is custom built and can’t be installed via a general installation method (like via the Play Store) then each service provider would need to create a special smartphone with its trusted software on it. This itself isn’t feasible. However it is possible to create a general Trusted Execution Environment kernel which has the capability to install certified trust apps.

ARM is also working on its own Trusted Firmware.

To make this trusted execution environment more accessible to secure service providers then companies like Trustonic and Samsung (with its Knox 2.0 platform) are creating systems to allow trusted apps to be installed in the TrustZone. These trusted apps will be able to handle a wide range of authentication tasks from secure sign-in to payment processing.

ARM is also working on its own Trusted Firmware. Designed for 64-bit ARMv8 based processors, the open source project is released under a BSD-style license and the source code is available on Github. Due to its open source nature ARM hopes that handsets OEM’s can take the code and use it in their products. The goal of the project is to provide a reference implementation and as far as possible the code is designed for reuse or porting to other ARMv8 hardware platforms.

Secure boot

For a trusted execution environment to be truly trustworthy then the device’s boot process must be secure. To that end ARM is working with its partners to bring a secure boot process to Android handsets. Android boots by running a bootloader that prevents unauthorized secondary bootloaders and operating systems from loading. This Secure Boot process is implemented cryptographically verifying each step of the boot process. The certificate chain has its trusted root certificate stored in the TrustZone, isolated by the hardware.

Samsung’s implementation of the secure boot processes also verifies the Android firmware. Although this isn’t something that will delight users who like to install custom firmware, it is essential for enterprise (business) users which need to ensure that the security aspects of Android (like those provided by SE for Android) haven’t been disabled.

Samsung KNOX 2.0 measures certain key aspects of the bootloader and records them in secure memory. At runtime the trusted OS can verify those measurements and verify the validity of the Android firmware running. If the bootloader is unable to verify the Android kernel, a one-time programmable memory area (often known as a fuse) is used to indicate the suspected tampering.

Say goodbye to passwords

One organization which is using ARM’s TrustZone is the FIDO (Fast Identity Online) alliance. The mission of the alliance is to change the nature of online authentication by defining a set of mechanisms that reduce our reliance on passwords. ARM joined FIDO’s Board of Directors earlier this year where it works with the some of the world’s most influential corporations including Microsoft, Google, Bank of America and Samsung.

Samsung, ARM and FIDO have worked with PayPal to give customers a way to use their fingerprint for authentication when paying for goods or services from a Samsung Galaxy S5.

Its passwordless specification allows a user to register their device with an online service by selecting a local authentication method (such as swiping, facial recognition, entering a PIN, etc.). Once registered, the user repeats the same authentication action whenever they need to sign in to the service. TrustZone is used to provide the secure authentication action which is isolated from Android and any apps running. The result is some encrypted authentication data which is used to perform the sign-in process. As a result the user no longer needs to use a password when authenticating from that device. The user can even combine multiple authentication methods such as fingerprint + PIN etc.

Samsung, ARM and FIDO have worked with PayPal to give customers a way to use their fingerprint for authentication when paying for goods or services from a Samsung Galaxy S5. The FIDO Ready software on the S5 securely communicates between the fingerprint reader and PayPal’s servers. The only information the device shares with PayPal is a unique cryptographic code that allows PayPal to verify the owner’s identity, without having to store any biometric information on its servers.

With smartphone ubiquity increasing daily then the potential for Trusted Execution Environments, and the corresponding benefits for users, is huge. As it often the case, ARM is leading the way and the technology needed to get rid of passwords is probably already in your phone!

The Tizen powered Samsung Gear 2 has been waiting on its PayPal app since the company announced that it was bringing a new version of PayPal to Samsung wearable devices, as well as fingerprint-based payments on the Galaxy S5, back at MWC 2014. Well now, the app has now finally arrived, and appears as version 1.40.

The PayPal app for the Gear 2 allows users to check-in at local stores and pay for purchases, redeem offers, receive payment notifications, as well as view and manage recent transactions. The video below can probably give you a better look at what the service is like on a smartwatch.

In the midst of Google’s eventful IO keynote, Runtastic has stepped forward and announced they will be among the first to support some of Google’s most innovative products and platforms. Runtastic will be integrated into Glass, Android Wear and Google Fit, bringing full support for Google’s wearables and health features.

Runtastic offers a series of apps, services and products that revolve around health and fitness data tracking. This makes the company the ideal partner for Google’s new endeavors.

We recently discovered Android Wear apps work alongside Android apps. No extra apps need to be downloaded, they come packaged with the smartphone applications. This way, Runtastic will allow for Android Wear users to launch voice commands. You will be able to start activities while tracking time, pace, calories, distance and more.

The health app developer will not be settling with smartwatch controls. They are also integrating Android Fit support, allowing the new open platform to track Runtastics data and aggregate it along with other apps.

“This is an exciting opportunity for Runtastic as both our apps and hardware now work across Google Glass, Wear and Fit.” -Stephan Brunner, Head of Android at Runtastic.

Android wear is going all out with Google’s wearable platforms, as they are also adding support for Google Glass. You know, just in case you want to exercise with at least 3 devices on you, all working to keep your fitness data in track.

Runtastic on Google Glass would be more like a virtual trainer, though. It will help you keep track of your exercises, including push-ups, sit-ups, pull-ups and squats. The app is now available for Google Glass users, so give it a try if you happen to be one of the few Glass owners.

And if you are feeling a bit dehydrated or need to make a pit stop, you may want to know PayPal has also announced a new app for Android Wear. Users will be able to make payments, receive notifications and redeem offers. It’s currently in beta, but it should roll out to all users in the coming weeks. Not directly related, but we thought many of you would want to know this extra detail.

Source: PR Newswire, PayPal;]]>http://www.androidauthority.com/runtastic-google-glass-android-wear-google-fit-397570/feed/1What’s in the new Google Play Store? More than just PayPal support!http://www.androidauthority.com/whats-new-google-play-store-just-paypal-support-382000/
http://www.androidauthority.com/whats-new-google-play-store-just-paypal-support-382000/#commentsThu, 15 May 2014 23:33:06 +0000http://www.androidauthority.com/?p=382000

Google’s new update was all the rage this morning. The ability to pay for apps and other Google Play content via PayPal has been long requested, making today’s improvements as amazing as a frosty lemonade in the desert. We now know there is much more to this upgrade than meets the eye, though.

The latest Google Play Store version is labeled as 4.8.19 and weighs a reasonable 6.85 MB. This version has already started rolling out to devices all over the world, but most of us continue to wait for it. It might take some time before it reaches our devices, so let’s go over the other improvements and see what this upgrade is all about. You can always download the APK file from the link at the bottom of the page if you decide you can no longer live without it.

Additional Information section added

Finding an app’s extra details is a little hard on your smartphone. Unlike the web version, information like the content rating and file size is nowhere to be found. This changes with today’s Play Store update, which adds the Additional Information section to the bottom of apps’ pages.

Simplified Headers

This is one of the first changes you will notice in the new Google Play Store app. Colorful headers can be a bit overpowering, aesthetically. Google has improved the Play Store by cleaning up pages with transparent headers. This makes for a much sleeker and clean look.

This improvement also makes images smaller, as the transparent headers can easily be overlaid on top of cover art. In addition, the bar is no longer persistent persistent – it disappears as you scroll down.

Permissions are so easy to read now!

App permissions have been simplified and will now only display categories, instead of giving you all the details in a pop-up window. Users can choose to tap on said categories and get more information, if they so choose to.

Buttons take a growth pill

Did you notice the “Update All” and “Install” buttons being a little more noticeable? That is because these have grown in the latest Play Store version. Not a huge deal, but a fun fact to be noted.

Download

Now that you know what’s on the other side, you can either wait for your upgrade or you could just download the handy APK file and install it yourself!

Just in time for the world release of the Galaxy S5, PayPal announced the availability of its fingerprint-based authentication system in 25 countries.

First announced at MWC 2014, the system allows PayPal users to log in the app and authorize payments and other operations with a simple swipe over the Galaxy S5’s home button. After logging in, users have access to mobile and online payments at millions of retailers that support PayPal. Using biometric authentication is more secure and more convenient that the traditional credential system because users don’t have to memorize a complex password and don’t have to worry about people nearby seeing their credentials.

Samsung Galaxy S5 is the first phone to integrate the FIDO authentication standard, which is developed by an alliance of tech companies including Google, Microsoft, MasterCard, and Lenovo. PayPal is very keen to reassure users about the security of the payment system of the Galaxy S5:

Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique encrypted key that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers” John LunnPayPal Developer Network

PayPal also introduced a special app for the Galaxy Gear 2, Gear Neo, and the Gear Fit that lets users check their PayPal balance, receive payment notifications, and even make payments right from their wrists.

If you’re buying a Galaxy S5, PayPal is giving away $50 in a promotional campaign, that you can check by visiting this address on your smartphone. For some reason, PayPal has not published the list of countries where its new service will be available with the Galaxy S5, but we’ve contacted them and we’ll update this post as soon as we receive an answer.

Welcome back for our fourth episode of Google Play Weekly. We know this last week has been dominated with hardware news thanks to IFA. It’s been a super exciting week, especially if you’re a fan of Sony and Samsung. However, that did not stop the Google Play Store and the apps in it from doing their thing. There was some pretty exciting news, so check out the video below to see more.

Linked below are the stories from the last week. If you need more info on anything we talked about today, this is where you can find them.

Google Play Weekly Episode 4 video

]]>http://www.androidauthority.com/google-play-weekly-episode-4-266604/feed/2Google Wallet updated: Send money to friends and one click purchases on the gohttp://www.androidauthority.com/google-wallet-updated-send-money-to-friends-and-one-click-purchases-on-the-go-210736/
http://www.androidauthority.com/google-wallet-updated-send-money-to-friends-and-one-click-purchases-on-the-go-210736/#commentsThu, 16 May 2013 02:59:39 +0000http://www.androidauthority.com/?p=210736

Today, Google announced a two major updates to their Wallet platform. Google Wallet now allows you to send money to your friends quickly and securely from Google Wallet or directly from Gmail. Whoever you’re sending money too doesn’t even need to have a Gmail account to receive money and it’s completely free if you’re sending money from your Wallet balance or if you’ve linked a bank account to Wallet.

Sending money is currently only available on the desktop, however you can visit wallet.google.com on your favorite mobile device to send payments from mobile. At this time, these features are only available to US residents over the age of 18. If you don’t have access to Wallet yet, all you need is a friend to send you money as an invitation.

While you wait for a kind soul to send you money (an invite), I’ve taken some screenshots to tide you over.

As you can see above, you can now add a bank account to Wallet. It takes approximately 4 days for your bank account to get verified by Google.

When sending money, you can choose you Wallet Balance, a credit card on file, or your bank account. It’s also good to mention that at this time Google is waiving normal credit card fees during the promotional period. Remember, sending money from your Wallet Balance or bank account is always free.

After you’ve received your payment, the funds are added to your Wallet Balance, with the option to transfer the funds directly to your bank account.

If this doesn’t make you switch from PayPal to Google Wallet, Google’s second update today should sweeten the deal. Google has made shopping much easier and more secure on your Android phone. Google has added a one click checkout button. It’s just as easy as tapping the checkout button, reviewing your billing and shipping information, and tapping on submit. Of course, this all relies on the fact that the eCommerce site your using supports Wallet.

Recently Mastercard announced a new program that would impose digital wallet operator fees on PayPal, Google Wallet and others. In response to the move, Visa’s CEO Charlie Scharf said that these kinds of fees are “totally appropriate”. Does that mean that Visa is actually planning a similar move? At least as the moment, the answer is no.

According to Visa’s global head of product, Jim McCarthy, the company has no plans to implement a digital wallet fee at this point. But what about Scharf’s comment saying he didn’t think fees were such a bad idea? A Visa spokesman claims that Scharf’s comments are “more about the changing relationship with payment industry participants, rather than the potential for a specific fee.”

Why are card companies considering these kinds of fees, or in Mastercard’s case already implementing them? The big reason is that while digital wallets make the customer’s life easier, it also gets in the card company’s way of collecting data about your purchasing habits. Again, not a bad thing for the customer, but not something that makes the card companies too happy.

If the idea of fees eventually comes to all the card companies, it might make it hard for wallet services to make money of their digital wallet service. In order to bring up their profit margins they might even start imposing their own charges on the customer. Of course it is hard to really say for sure at this point.

At the moment, Mastercard is the only one who has come forward with a plan to charge wallet operators, with both Visa and Discover officially declaring they have no such plans. Again, this could change in a heartbeat as virtual wallet services continue to gain in popularity.

Groupon recently announced that Groupon Payments has been added to its Merchant app for Android phones. Groupon Payments allows merchants using the app to take credit card payments by plugging a small card reader into their smartphone. The app was first launched for iOS in December and then soft-launched for Android later that month.

Groupon Payments will allow the company to compete with Square and Paypal, among others, in the smartphone card reader space. Groupon hopes that by bundling it with its Merchants app, it will gain more traction with the help of all the other Merchants features. These other features include the ability to redeem Groupon deals, email receipts, add tips and scan barcodes.

Fees for swiping payments via Groupon Merchants are 1.8% on Visa, Mastercard, and Discover plus $.015 per transaction. The fee percentages are slightly higher if you’re not a Groupon merchant, at 2.2% at $0.15 per transaction. The charge for American Express swipes is between 2.3% and 3.5% and $0 to $.015 per transaction.

Groupon has seen its struggles recently, but their diversifying of services has paid off with an increase in share price over the last couple months or so. The company will release Q4 and full 2012 results on February 27.